
[Solved] Is this iptables example correct?

Got problems with your B2 or B3? Share and get helped!
eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

[Solved] Is this iptables example correct?

Post by eramoli »

Hi All,

I am reading up on iptables and I thought I had got it until I saw a description and the iptables commands. The description is as follows:
allow our users to be able to access WWW servers on the Internet, but to allow no other traffic to be passed
The iptables commands that are supposed to do this are in the example:

Code:

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP
iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --sport 80 -d 0/0 -j ACCEPT
iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --dport 80 -s 0/0 -j ACCEPT
I do not understand how that can work; I thought that the iptables rules for doing what is described should look like the following.

Code:

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m tcp -p tcp -s 0/0 -d 172.16.1.0/24 --syn -j DROP
iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 -d 0/0  --dport 80 -j ACCEPT
iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 -j ACCEPT
My understanding is that
* the third line should block incoming TCP connection establishments from all ports and IP addresses
* the fourth line should allow outgoing TCP connections to WWW servers on the Internet
* and the fifth line should allow responses on connections created by internal nodes

Source ports on a web browser are random numbers higher than 1024, and the port of a web server is in most cases port 80.

Is the original example correct or am I?

Best Regards,
Morgan
Last edited by eramoli on 07 Feb 2012, 01:34, edited 1 time in total.
Gordon
Posts: 1465
Joined: 10 Aug 2011, 03:18

Re: Is this iptables example correct?

Post by Gordon »

Seems to me like a bad example, although it might have served a demonstrative purpose if it had even been correct. Your version is in this sense correct.

The thing is that the first rule is supposed to protect against a SYN flood, but at the same time it expects a site that does bad things to send perfectly correct packets. It would be more logical to use iptables' connection tracker to just block any traffic that is initiated by an address connected to the WAN interface:

Code:

iptables -A FORWARD -m state -p tcp -i eth0 --state NEW -j DROP
Then the fifth line says that you want to accept traffic that originates from port 80, but this is silly, because the only traffic that can exist is already defined by the fact that it has to be initiated on the LAN and can only be with port 80 on the WAN side. You could get the same result if you made this an accept-all rule, which is also silly because this would override the policy.

Check out the original firewall script on Bubba and note the following two lines:

Code:

iptables -A FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Essentially this does the same as your example, with the exception that this accepts what we do want rather than blocking what we don't want (the policy will take care of that). If you want to limit traffic to allow HTTP only, just change that first line to:

Code:

# --dport is an option of the tcp match, so the rule needs -p tcp (or -m tcp) for iptables to accept it
iptables -A FORWARD -i br0 -p tcp --dport 80 -j ACCEPT
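To check the rulesets in this thread against concrete packets, here is a small model of FORWARD-chain matching written for this page; it is not code from either post, from the book the first post quotes, or from the Bubba firewall script. It evaluates the book's example and eramoli's stateless version from the first post, and Gordon's connection-tracking version from the second post with `-p tcp` added to the HTTP rule so that `--dport` is a valid option. The packets, their arrival interfaces and the conntrack states they would be given are constructed by hand for the example; the interface names (`br0` for the LAN, `eth0` for the WAN), the 172.16.1.0/24 LAN and the 0/0 wildcard are taken from the thread, and the outside addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

LAN = ip_network("172.16.1.0/24")   # the internal network used in the thread
ANY = ip_network("0.0.0.0/0")       # what iptables writes as 0/0


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool   # SYN set, ACK/RST/FIN clear: what --syn matches
    iif: str         # arrival interface: br0 = LAN side, eth0 = WAN side (as on Bubba)
    state: str       # state conntrack would assign: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                          # -j
    src: IPv4Network = ANY               # -s
    dst: IPv4Network = ANY               # -d
    sport: Optional[int] = None          # --sport
    dport: Optional[int] = None          # --dport
    syn: bool = False                    # --syn
    iif: Optional[str] = None            # -i
    states: Optional[frozenset] = None   # -m state --state A,B

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.syn or p.syn_only)
                and (self.iif is None or p.iif == self.iif)
                and (self.states is None or p.state in self.states))


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in a real chain; the policy applies if none matches."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The book's example as quoted in the first post: the port options sit on the wrong side.
BOOK = [
    Rule("DROP",   src=ANY, sport=80, dst=LAN, syn=True),
    Rule("ACCEPT", src=LAN, sport=80, dst=ANY),
    Rule("ACCEPT", src=ANY, dst=LAN, dport=80),
]

# eramoli's corrected, still stateless, version from the first post.
STATELESS = [
    Rule("DROP",   src=ANY, dst=LAN, syn=True),
    Rule("ACCEPT", src=LAN, dst=ANY, dport=80),
    Rule("ACCEPT", src=ANY, sport=80, dst=LAN),
]

# Gordon's connection-tracking version, limited to HTTP (assumes -p tcp on the first rule).
STATEFUL = [
    Rule("ACCEPT", iif="br0", dport=80),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
]

# Constructed packets; conntrack states are what the tracker would report for each.
PACKETS: Dict[str, Packet] = {
    # A LAN browser opens a connection to a web server: the traffic we want.
    "lan_syn_to_www":   Packet("172.16.1.10", 50123, "203.0.113.5", 80, True, "br0", "NEW"),
    # The server's SYN/ACK coming back on that connection.
    "www_reply":        Packet("203.0.113.5", 80, "172.16.1.10", 50123, False, "eth0", "ESTABLISHED"),
    # An outsider tries to open a connection to a web server inside the LAN.
    "wan_syn_to_lan80": Packet("198.51.100.7", 40000, "172.16.1.10", 80, True, "eth0", "NEW"),
    # An outsider sends an unsolicited ACK with source port 80 (conntrack: NEW or INVALID,
    # depending on nf_conntrack_tcp_loose, but never ESTABLISHED).
    "wan_ack_sport80":  Packet("198.51.100.7", 80, "172.16.1.10", 22, False, "eth0", "NEW"),
}


def evaluate() -> Dict[str, Dict[str, str]]:
    """Verdict of every ruleset on every packet, keyed by ruleset name, then packet name."""
    chains = {"book": BOOK, "stateless": STATELESS, "stateful": STATEFUL}
    return {name: {pkt: verdict(chain, p) for pkt, p in PACKETS.items()}
            for name, chain in chains.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for pkt, v in results.items():
            print(f"  {pkt:18} {v}")
```

Run stand-alone it prints one verdict per packet and ruleset. The book's rules drop both the browser's own SYN and the server's reply, yet accept an inbound SYN to port 80 on the LAN, the opposite of the stated goal. The stateless rules behave as the first post expects but still accept an unsolicited non-SYN packet with source port 80, since `--syn` only catches connection openers, which is the weakness Gordon points at. The connection-tracking rules accept only the LAN-initiated connection and its replies and drop everything the WAN side starts, without any per-port reasoning about return traffic.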